@jpopesculian
Last active July 19, 2021 12:39
SGX Install

Ubuntu 20.04 SGX Installer

The Makefile includes install scripts for the SGX SDK and the SGX driver. The prerequisites are Ubuntu 20.04 and SGX enabled in the BIOS.

Installing the SGX SDK

The first step is to install the SGX SDK as well as the build tools for the driver. This can be done with

make sgx-sdk

Creating a MOK key

A MOK (Machine Owner Key) is necessary for signing any custom drivers when Secure Boot is enabled. Creating one at /usr/modules/MOK.(priv|der) can be done by running

make mok-key

During the creation process you'll need to set an arbitrary password; remember it, because you will have to enter it again during the Secure Boot import process. After creating the MOK key, import it into Secure Boot:

  1. Restart your computer
    • A blue screen should appear. If it does not, repeat the steps for creating a MOK key above.
  2. Select Enroll
  3. Select Continue
  4. Enter password
  5. Reboot

Installing the SGX driver

To install the SGX driver (after creating and enrolling the MOK key), run

make sgx-driver

You can verify the driver is installed by doing

ls /dev | grep sgx

and /dev/isgx or similar should be listed. The driver has to be installed and signed again for every kernel version, so if you ever do a dist-upgrade or otherwise find /dev/isgx missing, just run make sgx-driver again.
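
The checks above can be combined into one diagnostic for the case where /dev/isgx is missing. This is an added example, not part of the original gist: the function names and the KVER sample path are hypothetical, and it assumes mokutil reports "SecureBoot enabled" and "is already enrolled" in its status output.

```sh
#!/bin/sh
# Added example (not from the gist): why is /dev/isgx missing?
EXPECTED_CN="Driver Signer"   # CN from the Makefile's openssl -subj
MOK_DER=/usr/modules/MOK.der  # certificate path from the Makefile

# Print one field's value from `modinfo` output read on stdin.
modinfo_field() {
    awk -v f="$1" -F': *' '$1 == f { sub(/^[^:]*: */, ""); print; exit }'
}

# Classify modinfo output on stdin: missing | unsigned | wrong-signer | signed-ok
signature_status() {
    info=$(cat)
    [ -n "$info" ] || { echo missing; return 0; }
    signer=$(printf '%s\n' "$info" | modinfo_field signer)
    if [ -z "$signer" ]; then echo unsigned
    elif [ "$signer" = "$EXPECTED_CN" ]; then echo signed-ok
    else echo wrong-signer
    fi
}

# Map (Secure Boot state, MOK state, signature status) to the next command.
next_step() {
    case "$1/$2/$3" in
        */*/missing)                echo "make sgx-driver" ;;      # no module for this kernel
        disabled/*/*)               echo "sudo modprobe isgx" ;;   # signature not enforced
        enabled/not-enrolled/*)     echo "make mok-key" ;;         # then reboot and enroll
        enabled/enrolled/signed-ok) echo "sudo modprobe isgx" ;;
        *)                          echo "make sign-sgx-driver" ;; # unsigned or foreign signer
    esac
}

# Query the running system (assumes mokutil's "SecureBoot enabled" and
# "is already enrolled" status messages).
live() {
    sb=disabled; key=not-enrolled
    if mokutil --sb-state 2>/dev/null | grep -q 'SecureBoot enabled'; then sb=enabled; fi
    if mokutil --test-key "$MOK_DER" 2>/dev/null | grep -q 'already enrolled'; then key=enrolled; fi
    next_step "$sb" "$key" "$(modinfo isgx 2>/dev/null | signature_status)"
}

# Constructed sample: modinfo output for a module signed with the gist's key.
SAMPLE_SIGNED='filename:       /lib/modules/KVER/isgx.ko
signer:         Driver Signer
sig_hashalgo:   sha256'

if [ "${1:-}" = "--live" ]; then live
else next_step enabled enrolled "$(printf '%s\n' "$SAMPLE_SIGNED" | signature_status)"
fi
```

Run it with --live after a kernel upgrade; without arguments it only evaluates the constructed sample.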

help:
	@echo "View README for more info"
.PHONY: help

# SGX Driver
sgx-driver: install-sgx-driver sign-sgx-driver
.PHONY: sgx-driver

# Download the installer named in Intel's driver_readme.txt and run it as root.
# No checksum or signature of the download is verified here.
install-sgx-driver:
	curl -s https://download.01.org/intel-sgx/latest/linux-latest/distro/ubuntu20.04-server/driver_readme.txt | awk '{ print $$3 }' | grep -v "^#\|^$$" | head -n 1 | awk '{print "https://download.01.org/intel-sgx/latest/linux-latest/distro/ubuntu20.04-server/"$$1}' | xargs curl -o /tmp/install-sgx-driver
	sudo chmod +x /tmp/install-sgx-driver
	sudo /tmp/install-sgx-driver
.PHONY: install-sgx-driver

# Sign the isgx module of the running kernel with the MOK key, then load it.
sign-sgx-driver:
	sudo /usr/src/linux-headers-$$(uname -r)/scripts/sign-file sha256 /usr/modules/MOK.priv /usr/modules/MOK.der $$(modinfo -n isgx)
	sudo modprobe isgx
.PHONY: sign-sgx-driver

# MOK key
# Queue the certificate for enrollment; mokutil prompts for the import password.
mok-key: /usr/modules/MOK.der
	sudo mokutil --import /usr/modules/MOK.der
.PHONY: mok-key

# Generate the signing key pair; -nodes leaves MOK.priv unencrypted on disk.
/usr/modules/MOK.der:
	openssl req -new -x509 -newkey rsa:4096 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Driver Signer/"
	sudo mkdir -p /usr/modules
	sudo mv MOK.der /usr/modules
	sudo mv MOK.priv /usr/modules
	sudo chown -R root:root /usr/modules

# PSW / aesmd service / SGX SDK
sgx-sdk: apt-repos apt-get
.PHONY: sgx-sdk

# Add Intel's SGX apt repository and its signing key.
apt-repos:
	curl -s https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
	echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu $(shell lsb_release -cs) main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
.PHONY: apt-repos

apt-get:
	sudo apt-get update
	sudo apt-get install -y \
		build-essential \
		libsgx-enclave-common-dev \
		libsgx-headers \
		libssl-dev \
		sgx-aesm-service
.PHONY: apt-get